Where is your Windows Password stored?


The Windows password is stored in the SAM file located at C:\Windows\System32\config. The file is locked and cannot be copied or moved while Windows is running. The same data is also accessible through the registry, as the SAM hive under HKEY_LOCAL_MACHINE.


How is your Windows Password stored?

The Windows password is not stored in plain text; it is hashed. A dumped record looks like this:
Mark CA:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::

  • First field: the username
  • Second field: the SID (Security IDentifier) of that user; 1000 here is the account's relative identifier, the last component of the full SID
  • Third field: the LM hash; the value aad3b435b51404eeaad3b435b51404ee is the well-known placeholder written when no LM hash is stored, which is the default on modern Windows
  • Fourth field: the NTLM hash

When a user tries to log in to their account, Windows computes the hash of the password typed in. If that hash equals the password hash stored in the SAM, the authentication succeeds. Otherwise, Windows shows an error message saying that the credentials are incorrect.


Memory Forensics acquisition and analysis


This example uses the tool AccessData FTK Imager.

Step 1: Get the memory dump

Go to File > Capture Memory.
Select a destination path such as your Desktop and click Capture Memory.

[Figure: FTK Imager Memory Capture]

Step 2: Choose a memory forensics tool

Volatility is an open source framework for memory forensics that can analyse RAM images from both 32-bit and 64-bit systems.
The main reason to use Volatility here is its set of plugins that parse the Windows registry directly from the memory image.
The list of registry analysis plugins is in the “Registry Analysis Plugins” section of the SANS Volatility cheat sheet: https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf


Step 3: Select the correct profile for volatility

Before analysing the memory dump with Volatility, the OS profile must be set. For example, if the memory image comes from a 64-bit Windows 10 system, the generic profile is Win10x64.
If a plugin returns no output with the generic profile, you will have to specify the exact OS build in the profile name.
On Windows 10, you can find the OS version and build number in the System Information panel.

[Figure: System Information panel on Windows]

For build 16299 the profile is Win10x64_16299.
The syntax is:
python vol.py [plugin] -f memdump.mem --profile=Win10x64_16299


Step 4: Get the SYSTEM hive and the SAM hive’s offset

With the hivelist plugin we can list all loaded hives with their virtual and physical offsets.
The syntax is:
python vol.py hivelist -f memdump.mem --profile=Win10x64_16299

Result:
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY
0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x82b6b140 0x02b6b140 [no name]
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM


Step 5: Get the NTLM hashes

Now, using the hashdump plugin, we extract the hashes. Two parameters must be specified: “-y”, the virtual offset of the SYSTEM hive, and “-s”, the virtual offset of the SAM hive (the first column of the hivelist output).
For this example:

  • The SAM hive offset is 0x9aad6148
  • The system hive offset is 0x8b21c008

Thus, the syntax is:
python vol.py hashdump -f memdump.mem --profile=Win10x64_16299 -y 0x8b21c008 -s 0x9aad6148 > hashes.txt


Step 6: Recover NTLM password from the hashes

Online lookup services such as the hashkiller NTLM cracker and CrackStation can return the plain-text password for an NTLM hash if it is already in their databases. Offline brute-force tools such as John the Ripper need a wordlist; on Kali, rockyou.txt is found at /usr/share/wordlists.


Example with fgdump


1. Download the current stable version from http://foofus.net/goons/fizzgig/fgdump/downloads.htm
2. From a terminal, type .\fgdump.exe
3. After a few seconds, three files are created
4. The hashes are stored in 127.0.0.1.pwdump
5. Open this file in Notepad to read the hashes
6. Crack the hashes as described in Step 6

[Figure: fgdump output]